webdevops / go-replace

Replace-in-file console utility written in Go (e.g. for usage in Docker images)
MIT License

CVE-2022-29526 - golang.org/x/sys #15

Open rchassaigne opened 1 year ago

rchassaigne commented 1 year ago

Hello,

When scanning a Docker image from webdevops with any inspector (e.g. AWS Inspector), it only has one CVE remaining in the image: CVE-2022-29526 on file path usr/local/bin/go-replace.

The recommended remediation is: Upgrade your installed software packages to the proposed fixed-in version and release.

Is it possible to upgrade this package to 0.1.0? Actually it is v0.0.0-20220928140112-f11e5e49a4ec

Regards.

nick-delgado commented 1 year ago

Hi,

I've experienced the same when scanning a Docker image that was built using webdevops/php-nginx:8.2 in AWS Inspector. The scan shows that the vulnerability CVE-2022-29526 exists on /usr/local/bin/go-replace.

It looks like go-replace's dependency github.com/jessevdk/go-flags, which is using the golang.org/x/sys package, hasn't updated its dependencies.

rchassaigne commented 1 year ago

Hi,

It seems to be in go.mod but is marked as indirect. Maybe I should open an issue in go-flags to update the sys package dependencies?

EDIT: An issue has already been opened in the package and the recommendation seems to be to use another fork package: go-flags-fork with golang.org/x/sys v0.10.0 as dependency.
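The triage step this thread is circling around (is golang.org/x/sys required by the module at all, is it direct or indirect, and is the version a tagged release or a pseudo-version) as an added example; this is not go-replace's own code or anything from the go-flags project. The go.mod text is constructed for the demonstration: only the golang.org/x/sys line reproduces the version quoted in the issue, and the go-flags version in it is made up.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Dependency is one "require" entry from a go.mod file.
type Dependency struct {
	Path     string
	Version  string
	Indirect bool // marked "// indirect": pulled in by another dependency, not imported directly
}

// sampleGoMod is a constructed go.mod for this demonstration; only the
// golang.org/x/sys line reproduces the version quoted in the issue, the
// go-flags version is made up.
const sampleGoMod = `module example.com/go-replace-demo

go 1.19

require (
	github.com/jessevdk/go-flags v1.5.0
	golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec // indirect
)
`

// ParseGoMod extracts require entries from go.mod text, handling both the
// single-line form ("require a/b v1.0.0") and the block form ("require ( ... )").
func ParseGoMod(src string) []Dependency {
	var deps []Dependency
	inBlock := false
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if line == "require (" {
			inBlock = true
			continue
		}
		if inBlock && line == ")" {
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			if len(fields) < 3 || fields[0] != "require" {
				continue // module, go, replace, exclude lines etc.
			}
			fields = fields[1:]
		}
		if len(fields) < 2 || !strings.HasPrefix(fields[1], "v") {
			continue // comments or malformed lines inside the block
		}
		deps = append(deps, Dependency{
			Path:     fields[0],
			Version:  fields[1],
			Indirect: strings.Contains(line, "// indirect"),
		})
	}
	return deps
}

// Find returns the require entry for a module path, if present.
func Find(deps []Dependency, path string) (Dependency, bool) {
	for _, d := range deps {
		if d.Path == path {
			return d, true
		}
	}
	return Dependency{}, false
}

// pseudoRe matches the tail of a Go pseudo-version: a 14-digit UTC commit
// timestamp followed by a 12-hex-digit commit prefix.
var pseudoRe = regexp.MustCompile(`(\d{14})-([0-9a-f]{12})$`)

// PseudoVersionTimestamp reports whether v is a pseudo-version and, if so,
// returns its embedded commit timestamp (yyyymmddhhmmss). A pseudo-version
// such as v0.0.0-2022...-f11e... sorts below any tagged v0.1.0 under semver,
// so a scanner that only compares against "fixed in 0.1.0" flags it
// regardless of the commit date encoded in it.
func PseudoVersionTimestamp(v string) (string, bool) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// Report summarises one dependency the way a reviewer triaging a scanner
// finding would want to see it.
func Report(deps []Dependency, path string) string {
	d, ok := Find(deps, path)
	if !ok {
		return path + ": not required by this module"
	}
	kind := "direct"
	if d.Indirect {
		kind = "indirect"
	}
	if ts, isPseudo := PseudoVersionTimestamp(d.Version); isPseudo {
		return fmt.Sprintf("%s %s (%s, pseudo-version, commit of %s)", d.Path, d.Version, kind, ts)
	}
	return fmt.Sprintf("%s %s (%s, tagged release)", d.Path, d.Version, kind)
}

func main() {
	deps := ParseGoMod(sampleGoMod)
	fmt.Println(Report(deps, "golang.org/x/sys"))
	fmt.Println(Report(deps, "github.com/jessevdk/go-flags"))
}
```

On a real checkout, `go list -m golang.org/x/sys` prints the version the build actually selects, which is what matters more than the go.mod text. Because Go's minimal version selection takes the highest requirement found anywhere in the module graph, `go get golang.org/x/sys@v0.1.0` followed by `go mod tidy` in go-replace's own module raises the indirect requirement without waiting for go-flags to update its go.mod; the line keeps its `// indirect` marker but the built binary carries the newer package.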

Silmerias commented 1 year ago

No news, last commit / release a year ago. Dead project?